Wednesday, October 12, 2011

CVE-2011-3230 - Launch any file path from web page

CVE: CVE-2011-3230

Found By: Aaron Sigel

There's not a ton to say about this bug aside from "Yikes"! I think the PoC speaks for itself. This allows you to send any "file:" URL to LaunchServices, which will run binaries, launch applications, or open content in the default application, all from a web page. The only caveat is that since LaunchServices will check for the quarantine bit, you cannot directly push a binary to the browser and launch it. Other than that, you can run or launch anything you can access by using the method in the HTML provided below.

Since the URL is just sent off to LaunchServices you cannot actually do a curl -O, but what you can do is push a file type that LaunchServices does not think is "unsafe", or use an absolute path that is not Quarantined, or a number of other creative things.
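To make the two decisions in this post concrete, here is an added example (not part of the original post or of Apple's code) that models them: the gate a browser should apply before handing a file: URL to LaunchServices, and the quarantine check LaunchServices itself applies as described above. The UNSAFE_TYPES set and the type names are constructed placeholders; Apple's real list is not on this page.

```python
from urllib.parse import urlsplit

# Schemes whose targets are local paths dispatched to LaunchServices.
LOCAL_SCHEMES = {"file"}

# Constructed stand-in for the "unsafe" type list the post mentions.
UNSAFE_TYPES = {"application", "shell-script", "macho-binary"}


def scheme_of(url: str) -> str:
    """Scheme of a URL, lower-cased, with whitespace/control chars removed
    so that ' FILE:/etc/passwd' is recognised as a file: URL."""
    cleaned = "".join(ch for ch in url.strip() if ord(ch) > 0x20)
    return urlsplit(cleaned).scheme.lower()


def browser_allows_navigation(url: str, document_origin: str) -> bool:
    """The gate the post says browsers should enforce: a remote (http/https)
    document must never cause a local path to be dispatched. Only a document
    that is itself local may open local paths."""
    if scheme_of(url) not in LOCAL_SCHEMES:
        return True  # not a local path; other navigation policy applies
    return scheme_of(document_origin) in LOCAL_SCHEMES


def launchservices_would_block(file_type: str, quarantined: bool,
                               opened_before: bool) -> bool:
    """Model of the LaunchServices check as the post describes it: refused
    only when the type is on the unsafe list AND the file carries the
    quarantine attribute AND it was never opened (opening clears quarantine).
    Everything else is opened or executed."""
    return file_type in UNSAFE_TYPES and quarantined and not opened_before


def would_open(url: str, document_origin: str, file_type: str,
               quarantined: bool, opened_before: bool,
               browser_gate: bool = True) -> bool:
    """End-to-end outcome. browser_gate=False reproduces the vulnerable
    behaviour: the browser defers entirely to LaunchServices, so any
    non-quarantined absolute path opens from a remote page."""
    if browser_gate and not browser_allows_navigation(url, document_origin):
        return False
    if scheme_of(url) in LOCAL_SCHEMES:
        return not launchservices_would_block(file_type, quarantined, opened_before)
    return True
```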

Time to implement some stuff like SELinux @ my systemSsSzz... but for sure - my home is safe until now! *puuh* xD

Nice burst, just droppin' a few lines of code & seeing files you never thought... Remember the time when IE5 showed your HDD content -> your PC is not safe, "we non-hackerz" 0wn3d you - almost the same... ^^

Sorry if my PoC was unclear, but the point of putting /etc/passwd was to harmlessly demonstrate the nature of the bug. That is, with this bug you can trigger Launch Services to launch local paths, which should be disallowed by browsers. Fooling people by displaying a world-readable file in /etc was not the goal, and Mac OS X doesn't use this anymore for user accounts. The outcome depends on the file type bindings on your system. Ex: Mach-O binaries are handled by Terminal.app, so they run. Apple has a growing list of unsafe types known to LS, which are the only ones blocked, and then only if pushed to the user by a Quarantined application and never before opened (which clears Quarantine).

Side note: if you found something affected by this on Linux, it isn't this bug and you have found a new bug. Funnily enough, those fake pages with views of your local system invoked by a remote page were probably more dangerous than those folks realized, which is probably why it no longer works.